The proliferation of internet- and mobile-connected devices—the ‘Internet of Everything’—has increased data traffic volume, transmission speeds and usage on communications networks. The ubiquity of device types and connections (cellular, wireless, multi-SIM, machine-to-machine) and the expansion of usage types (voice, high-definition video, music, data) have also made it more complex to monitor and secure these networks and to conduct analysis on the traffic and content.
To accomplish this, the traffic must be instrumented (what data is moving across the network), analyzed (what is the content of the traffic), and understood (what are the implications of this) so a relevant decision can be made or action taken within the available window of opportunity. This is especially so in the case of time-critical revenue, customer, operational, or security impacting events. Examples of such events include fraud occurring on mobile carrier networks, cellular zones dropping calls above an acceptable threshold, malfunctioning mobile applications, or malicious content or agents compromising a network.
This network data is captured by a variety of network probes sitting ‘inline’ (intrusively) inside the network. Network events must first ‘complete’ (example: after a voice call is completed and goes through ‘call teardown’) before they are translated into offline database records (example: Call Detail Records, Event Detail Records). These records are extracted at regular time intervals and provided to applications in offline enterprise data centers for post-event processing and analysis.
These systems can suffer from latency delays of up to 15 minutes for event data to be extracted and delivered to databases. In many cases, multiple terabytes of data are written into databases, posing ‘Big Data’ analytical challenges when time-critical results are needed. The inline hardware represents significant capital expenditures. These types of systems also provide a limited ability to respond flexibly to live conditions, as the application layer is not integrated contextually within the data collection layer. Database records are not generated for some network events that may provide indications of fraud or other critical issues that must be detected.
A use case is mobile carrier fraud detection that utilizes call detail records that have been delivered to a data warehouse after the relevant network traffic or calls have been completed. Detection of fraud in this case occurs after the actual fraudulent event has occurred, and in many cases, the carrier has already incurred a financial loss. Any actions taken to remediate (example: block the caller) can only be applied to the next time a relevant event appears in the network.